Software updates bring Flashback, Flash disabling to OSX

Apple on Monday released two software updates that bring recent OS X Lion security fixes regarding Java and Adobe Flash Player to Macs running previous ...

One month after rolling out a dedicated Flashback malware removal tool for OS X 10.7 Lion, Apple has released a "Leopard Flashback Removal Security Update" for the legacy OS.

The 1.23MB download will scan a Mac's hard drive for the Flashback trojan and, if found, will remove the malicious code that at one point affected over 600,000 Macs worldwide. The security update also disables the Java plug-in in Safari, though users can reactivate it by navigating to the Security tab in Safari > Preferences.

Mac OS X Leopard's second update disables versions of Adobe's Flash Player in Safari that do not have the most current security protocols. If detected, Leopard will display a dialog notifying users that the latest Flash Player is not running and will provide a link to the appropriate download. A similar fix was provided last week in a Safari update that followed the rollout of OS X Lion 10.7.4.

Leopard Security Update 2012-003 weighs in at 1.11MB and can be downloaded via Software Update or Apple's Support page.

Adobe releases Flash update to address new attacks on Mac and Windows

In a security advisory published on Thursday, Adobe announced the immediate availability of a patch covering two newly discovered Flash vulnerabilities that are being exploited "in the wild."

The two bugs, one affecting Apple's Mac platform and the other attacking Microsoft's Windows, are Flash Player vulnerabilities being exploited to install malware onto users' systems, reports Ars Technica. While users of other operating systems like Linux have yet to report attacks, Adobe's advisory notes the exploit affects all platforms.

Designated as CVE-2013-0634, the first vulnerability targets the Safari and Firefox Web browsers running on OS X, and is also being used as a trojan to deploy Microsoft Word documents containing malware. For Mac users, the flaw affects Adobe Flash Player version 11.5.502.146 or earlier.

From Adobe's release:

Adobe is also aware of reports that CVE-2013-0634 is being exploited in the wild in attacks delivered via malicious Flash (SWF) content hosted on websites that target Flash Player in Firefox or Safari on the Macintosh platform, as well as attacks designed to trick Windows users into opening a Microsoft Word document delivered as an email attachment which contains malicious Flash (SWF) content.

The second bug, cataloged as CVE-2013-0633, only affects Windows machines and uses a similar Microsoft Word document trojan to execute attacks.

The Adobe Flash patch can be found on the company's website, and users can visit this page to check if their software is the most current 11.5.502.149 version.

Apple blocks older versions of Flash in Safari

Apple has updated the plugin-blocking component in Safari to prevent earlier versions of Flash from being used, a new support document states. Lion, Mountain Lion, and Snow Leopard users are affected. The update comes in response to recently discovered vulnerabilities in Flash that have already been patched by Adobe, but which could impact people who don't update on a regular basis.

As a rule, Apple has taken a more aggressive stance on security problems in recent years. Java is no longer included in OS X by default, and since Snow Leopard the OS has included a malware protection component which Apple can update remotely to block new threats. The company has had to take a slower approach with iOS, since fixing any problems with the firmware requires a new point release.
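
An added example, not taken from the articles above or from Apple's or Adobe's code: a minimum-version plug-in gate of the kind described, using the Flash Player versions quoted on this page (11.5.502.146 and earlier affected, 11.5.502.149 patched). The bundle identifier, the sample Info.plist and the function names are constructed for illustration, and reading the version from `CFBundleVersion` is an assumption.

```python
import plistlib

# Versions from the page: 11.5.502.146 and earlier are affected,
# 11.5.502.149 is the patched release.
MINIMUM_SAFE = "11.5.502.149"

# Constructed sample of a plug-in bundle's Info.plist (not a real capture).
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.flash-plugin</string>
  <key>CFBundleVersion</key><string>11.5.502.146</string>
</dict></plist>"""


def parse_version(text):
    """Split a dotted version into integers; raise ValueError if malformed."""
    parts = text.strip().split(".")
    if any(not p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def is_blocked(installed, minimum=MINIMUM_SAFE):
    """Return True when the plug-in must not load.

    Fields are compared numerically, so 11.10.0.0 ranks above 11.5.502.149;
    a plain string comparison gets that case wrong. Missing or malformed
    versions fail closed (blocked).
    """
    try:
        have, need = parse_version(installed), parse_version(minimum)
    except (ValueError, AttributeError):
        return True
    width = max(len(have), len(need))
    have += (0,) * (width - len(have))   # treat "11.5" as 11.5.0.0
    need += (0,) * (width - len(need))
    return have < need


def check_bundle(info_plist_bytes, minimum=MINIMUM_SAFE):
    """Read CFBundleVersion from Info.plist bytes and apply the policy."""
    try:
        version = plistlib.loads(info_plist_bytes)["CFBundleVersion"]
    except Exception:
        return True  # unreadable or incomplete metadata: block
    return is_blocked(version, minimum)


if __name__ == "__main__":
    print("block sample plug-in:", check_bundle(SAMPLE_INFO_PLIST))
```
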